The regulatory compliance process can be overwhelming at first. But the HITRUST common security framework (CSF) was designed specifically to streamline regulatory compliance for organizations.
Understanding Phases of HITRUST Certification & All of The Terminology
With the same intention of assisting organizations in understanding HITRUST certification, we have put together a HITRUST glossary. It provides the HITRUST terminology you need to get through the various phases of HITRUST assessment and certification.
Definitions provided in quotation marks come directly from The HITRUST Alliance Terminology list; any other information is meant purely to provide additional information and examples for those who are new to the HITRUST compliance phases.
Goals – Risk Management & Security Compliance
“The program and supporting processes to manage information protection risk to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, and other organizations,” and includes:
- Establishing the context for risk-related activities;
- Assessing risk;
- Responding to risk once determined; and
- Monitoring risk over time.”
Risk Management Framework
“A common taxonomy and standard set of processes, procedures, activities, and tools that support the identification, assessment, response, control, and reporting of risk.”
This is a guide created to facilitate efficient and effective risk management through the selection, implementation, assessment and reporting of information and privacy controls. The HITRUST processes outlined by the Risk Management Framework include four steps:
- Identify risks and define security requirements,
- Specify controls,
- Implement and manage controls,
- Assess and report.
HITRUST Assurance Program
“The programs and systems for use of the HITRUST framework and tools in connection with data protection assurance assessments according to the standards set forth by HITRUST.”
By joining this program, organizations gain access to compliance assessments and reporting tools for HIPAA, HITECH, federal, state, and industry security requirements. Specifically, the HITRUST framework assists organizations and their business associates with a unified approach to managing security assessments. The HITRUST Assurance Program includes risk management oversight and assessment protocol customized to fit the unique regulatory and business needs of various industries.
Covered Entity
Covered entities are individuals, organizations, and companies required to comply with privacy and security regulations protecting sensitive information. These include:
- “Health plans, healthcare clearinghouses, and healthcare providers who transmit any health information in electronic form regarding a HIPAA transaction.”
- “Any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
Business Associate
“A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity, but is not included in the covered entity’s workforce.”
Types of HITRUST Assessments
“A data protection assessment provided by an assessor to organizations in accordance with the HITRUST Assurance Program.” There are multiple types of HITRUST assessments.
HITRUST Readiness Assessment
A HITRUST readiness assessment (formerly known as a self-assessment) helps an organization evaluate its own ability to comply with the listed controls in preparation for the HITRUST validated assessment. HITRUST will assemble the assessment, but will not perform validation of the assessment.
Basic, Current-State (bC) Assessment
This is a new assessment option introduced by HITRUST in late 2021. It’s a verified self-assessment that is aimed at reviewing security hygiene controls and can be applied to organizations of any size. It has a less rigorous approach to evaluation than certified options; although it provides a low level of assurance, it is faster to perform. Because it is not certifiable, it also does not have an expiration date.
HITRUST Validated Assessments
There are now two types of validated HITRUST assessments:
- HITRUST Implemented, 1-Year (i1) Validated Assessment – Successfully completing this type of assessment results in a Validated Assessment + Certification that is valid for 12 months. This assessment option is relatively new; it was added to the HITRUST portfolio in late 2021. Also known as the i1, it is centered around best practices for security in medium to large-sized organizations. Because it has a more rigorous approach to evaluation than the bC assessment, the HITRUST i1 provides a moderate level of assurance.
- HITRUST Risk-Based 2-Year (r2) Validated Assessment – Successfully completing this type of assessment results in a Validated Assessment + Risk-Based Certification that is valid for 24 months. Formerly known as the HITRUST CSF Validated Assessment, it has gone by the abbreviation “r2” since 2021. It is focused on comprehensive risk-based controls and is fit for organizations of any size. Because it has the most rigorous approach to evaluation, higher than that of the i1 assessment, the HITRUST r2 provides a high level of assurance.
r2 Interim Assessment
Organizations with a HITRUST Risk-Based, 2-year (“r2”) Validated Certification Report will need to perform an r2 Interim Assessment at the one-year mark to maintain valid certification. One year after achieving HITRUST certification, organizations must pass an interim assessment to verify ongoing compliance with data security controls. After two years, certification must be re-assessed.
Re-assessment
Because HITRUST r2 certification expires after 24 months, re-assessment serves to renew an organization’s certification status. Re-assessment verifies that the organization has maintained compliance with the required controls. A full re-assessment must be carried out every two years, or sooner if there has been a data breach or significant change in the operating environment.
Bridge Assessment
Introduced by HITRUST in 2021, this assessment provides an extension for r2 Certification. The Bridge Assessment enables organizations to earn a certificate that maintains their HITRUST Risk-based, 2-year (“r2”) Certification Report for an extra 90 days, even if their assessment submission due date is missed.
HITRUST Assessment Scoring
HITRUST CSF
Originally termed the HITRUST Common Security Framework, the CSF is “a framework for managing information security and privacy risks and compliance. It has become the benchmark framework for security and compliance in health care and other industries.”
HITRUST CSF combines the requirements of other existing standards and regulations, including HIPAA, HITECH, PCI, COBIT, NIST, and FTC. By unifying other regulatory standards, the HITRUST Common Security Framework (CSF) makes the compliance process more efficient, clear, and cost-effective for organizations and their business associates.
Scope
This refers to the identified information assets and data flows which must be included in the HITRUST assessment. The scope should be focused on the workflows which require the use of sensitive data or PHI.
Control Categories
The 14 HITRUST control categories are high-level groupings, based on ISO 27001 and 27002, and each comprises a set of control objectives. They include: Information Security Management Program, Access Control, Human Resources Security, Risk Management, Security Policy, Organization of Information Security, Compliance, Asset Management, Physical and Environmental Security, Communications and Operations Management, Information Systems Acquisition, Development and Maintenance, Information Security Incident Management, Business Continuity Management, and Privacy Practices.
Control Objectives
There are 46 control objectives factored into the HITRUST framework. Each is a statement of the goal or purpose to be achieved in relation to the controls within a HITRUST assessment control category.
Control
“The safeguard or countermeasure prescribed for an organization and/or information system(s) to protect the confidentiality, integrity, and availability of information.”
According to HITRUST CSF v9.3, there are 135 common privacy and security controls. HITRUST includes controls required by other regulatory standards, enabling organizations to use this single assessment to certify compliance with multiple requirements. During HITRUST assessments, organizations are scored according to the controls within the set scope.
“Detailed information to support the implementation of the control and meeting the control objective.”
Implementation Levels
There are three HITRUST implementation levels that describe the level of risk associated with each control. The higher the risk, the greater the control restrictiveness applied. Organizations seeking HITRUST certification must comply with at least the first level. The implementation levels include:
- Organizational Risk,
- Regulatory Risk,
- System Risk.
Requirement Statements
A risk-based approach based on organizational, regulatory and system profile information is used to determine the customized set of requirement statements that will apply to the organization undergoing assessment. In all, there are 845 requirement statements. In part, the process of identifying which requirements apply to the organization seeking certification helps determine the scope of the HITRUST engagement.
HITRUST Maturity Model
The HITRUST Maturity Model, which is an evolution of the PRISMA model, is used to score readiness assessments and validated assessments. Scoring is determined according to the five basic levels: policy, process/procedure, implemented, measured, and managed.
This refers to the maturity level score for a particular HITRUST assessment control.
Control compliance must be scored during both the readiness and validated assessments according to the five levels of the HITRUST Maturity Model.
During the HITRUST assessment, maturity levels are scored for each control – from 0% (non-compliant) to 100% (fully compliant). The score for each control equals the sum, over all maturity model levels, of the weight of each level multiplied by the maturity level rating the control received at that level.
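To make the scoring formula concrete, here is an added Python example (not from this page, and not HITRUST's own tooling) that computes a control score as the weighted sum described above and lists where points were lost, which is the starting point for remediation. The level weights (15/20/40/10/15) and the five-step rating scale are assumptions taken from HITRUST's published scoring model and are not stated on this page; the sample control is constructed.

```python
from typing import Dict, List, Tuple

# Assumed level weights (HITRUST's published model, not stated on this page); sum to 100.
LEVEL_WEIGHTS: Dict[str, int] = {
    "policy": 15, "procedure": 20, "implemented": 40, "measured": 10, "managed": 15,
}

# Assumed rating scale: the share of a level's weight that the control earns.
RATINGS: Dict[str, int] = {
    "non-compliant": 0, "somewhat compliant": 25, "partially compliant": 50,
    "mostly compliant": 75, "fully compliant": 100,
}


def control_score(level_ratings: Dict[str, str]) -> float:
    """Score for one control, 0 to 100: sum over levels of weight * rating / 100."""
    missing = set(LEVEL_WEIGHTS) - set(level_ratings)
    if missing:
        raise ValueError(f"every maturity level needs a rating; missing {sorted(missing)}")
    total = 0.0
    for level, weight in LEVEL_WEIGHTS.items():
        rating = level_ratings[level]
        if rating not in RATINGS:
            raise ValueError(f"unknown rating {rating!r} for level {level!r}")
        total += weight * RATINGS[rating] / 100
    return round(total, 2)


def points_lost(level_ratings: Dict[str, str]) -> List[Tuple[str, float]]:
    """Points each level left unearned, largest first: where a CAP should start."""
    control_score(level_ratings)  # reuse the input validation above
    lost = []
    for level, weight in LEVEL_WEIGHTS.items():
        earned = weight * RATINGS[level_ratings[level]] / 100
        lost.append((level, round(weight - earned, 2)))
    return sorted(lost, key=lambda item: (-item[1], item[0]))


# Constructed sample control: strong documentation, weaker operational evidence.
SAMPLE_CONTROL = {
    "policy": "fully compliant",
    "procedure": "fully compliant",
    "implemented": "mostly compliant",
    "measured": "non-compliant",
    "managed": "non-compliant",
}

if __name__ == "__main__":
    print("score:", control_score(SAMPLE_CONTROL))  # 65.0
    print("points lost:", points_lost(SAMPLE_CONTROL))
```

The sample shows the typical pattern of a documented but unmeasured control: full policy and procedure credit still leaves the score at 65 because most of the weight sits in the implemented, measured and managed levels.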
The HITRUST Certification Process
Goals of HITRUST Certification
HITRUST certification confirms that the organization has passed the comprehensive security evaluation and maintains compliance with relevant data loss prevention and information risk management regulations. To achieve certification, the organization must work with an authorized HITRUST external assessor and successfully complete one of the two types of HITRUST validated assessment. Once achieved, certification is valid for 24 months. The certification process has four main steps:
- Readiness Assessment,
- Remediation,
- Validated Assessment,
- HITRUST Quality Assurance.
Readiness Assessment
This is the first phase of the HITRUST certification process. The readiness phase is useful for companies that are preparing for certification or wish to take advantage of the standard security methodology, requirements, and tools but aren’t required to complete the validation and certification process.
Remediation
This is the second phase of the HITRUST certification process. The objective of remediation is to identify and prioritize gaps between the organization’s current controls and the required standards. It provides valuable insight and the opportunity to improve before progressing to the validated assessment.
Validated Assessment
“An evaluation conducted against the HITRUST framework under the Assurance Program, in which the results are (i) checked for accuracy and completeness by a HITRUST Approved Assessor organization; and (ii) undergo a quality assurance review by HITRUST.” See above for the two types of Validated Assessments available.
This is the third phase of the HITRUST certification process. The validated assessment involves sampling, testing, and scoring the controls within the scope, interviewing related employees, and verifying documentation. The scores assigned based on control maturity determine compliance.
Quality Assurance Review
“The complete set of measures and procedures used by the organization to ensure that the services provided continue to fulfill the expectations of the customer as described in relevant agreements.”
This is the fourth phase of the HITRUST certification process. Completed validated assessments are submitted to HITRUST for their quality assurance review and generation of the final report.
Corrective Action Plan
Following the completion of the HITRUST assessment, during the Quality Assurance phase, the organization is provided with a report of the assessment results. The report also lists remediation activities that should be tracked in corrective action plans (CAPs).
MyCSF
The assessment and corrective action plan management platform provided by the HITRUST Alliance. MyCSF® is a SaaS information risk management platform specifically designed to help organizations assess and report information risk and compliance with international, federal, and state regulations concerning privacy and security.
Roles Involved in the HITRUST Certification Process
Project Coordinator
The project coordinator is an internal figure appointed by the organization undergoing HITRUST assessment. The role of the project coordinator is to lead the work team in meeting the goals and expectations set for the assessment. He or she is responsible for collecting documentation, organizing interviews, and verifying participation.
HITRUST Approved Assessor
“An organization that has been approved by HITRUST for performing assessments and services associated with the HITRUST Assurance Program and the HITRUST CSF. HITRUST Approved Assessors are critical to HITRUST’s efforts to provide trained resources to organizations of varying size and complexity to assess compliance with data protection control requirements and document corrective action plans that align with the HITRUST framework.”
Authorized HITRUST assessors – like I.S. Partners, LLC. – work with organizations of all sizes and in a wide variety of industries. Ultimately, they verify compliance with security control requirements and help the organization to develop remediation plans to achieve compliance and certification.
HITRUST Engagement Executive
HITRUST Engagement Executives are certified HITRUST quality professionals (CHQPs) who manage and support the organization as it goes through the HITRUST assessment process. They are responsible for the financial results of the assessment and for monitoring the engagement. They also review and approve the scope and test plan and check testing results.
HITRUST Engagement Lead
HITRUST Engagement Leads are CHQPs who work with the Engagement Executive and the Project Coordinator. The role of the lead includes documenting the scope, designing the test plan, identifying the sampling criteria and coordinating fieldwork. The appointed Engagement Lead also oversees testing, analyzes results, and provides documentation of the results.
Quality Assurance Reviewer
The role of this type of CCSFP (Certified Common Security Framework Practitioner) is to review the Assessor Quality Checklist and completed procedures submitted for HITRUST assessment.
I.S. Partners, LLC. – Authorized HITRUST External Assessor
Since 2016, our firm has been an authorized HITRUST external assessor working with companies – around the country – of all different sizes and complexities. We assist organizations through the entire HITRUST preparation, readiness, certification, and remediation phases of HITRUST.
Learn about our full range of services to assist you in becoming HITRUST certified. Contact I.S. Partners, LLC. for more information by filling out the request form below.